
Tom Simonite

A View from Tom Simonite

An Epic Hack Performed With a Few Simple Tricks

The victim’s Apple devices suddenly went dark last Friday. Similar attacks remain possible.

August 7, 2012

Lax security practices by Apple and Amazon cost one journalist a year’s worth of photos and other data last Friday, in a chilling tale that’s a reminder that keeping data secure is far from a solved problem.

Mat Honan of Wired laid out what happened yesterday, explaining how he had all of his data wiped from his iPhone, iPad and MacBook using Apple’s remote wipe feature, which is intended to protect the data on a gadget if it is lost or stolen. Attackers got control of Honan’s Apple account by first taking advantage of a flaw in one of Amazon’s systems that gave them the last four digits of his credit card number. That and an email address was all that was needed to convince Apple to hand over control of his account. As Honan put it:

[T]he very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

Amazon changed its customer service policies today to prevent the trick that compromised Honan’s account, Wired reports. Apple has so far said little, apart from denying the existence of the loophole that got Honan hacked, which he claims he was able to replicate several times.

Honan’s Gmail account was also compromised as part of the attack, the goal of which was simply to wrest control of his three-letter Twitter account, @mat. Many people have blogged and tweeted today to say that Honan – and everybody else – should use Google’s two-factor authentication, which is a more secure alternative to the traditional username and password. It involves using both a regular password and a one-time code generated by a phone app every time you log in.

Two-factor authentication could have helped protect Honan, and could boost the security of many other services, too. But despite Google’s best efforts, it still feels clunky to use. The debut of NFC chips in phones might reduce the burden, though, and Intel showed off laptops at CES back in January that processed online payments by having a person tap their phone on a computer to authenticate. However, companies will still need ways to help people who forget their password get back into their accounts. That means that we will remain at the mercy of various combinations of security questions and recovery systems, like those that let Honan down, for a while yet.
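To make concrete what the phone-app code described above actually is, here is an added illustration (not code from Apple, Google or the article) of a two-factor login check: the server verifies a password and, separately, a time-based one-time code computed with the standard HMAC construction (RFC 4226 HOTP over RFC 6238 time steps). The account record, password and salt are constructed test values; the shared secret is the RFC test-vector key, which is why the expected codes are known. The check also tolerates one step of clock drift and refuses a code from a time step that has already been accepted, so a code observed once cannot be reused.

```python
"""Two-factor login: password plus a time-based one-time code (TOTP).
Added illustration only; the account, salt and secret are constructed values."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (SHA-1, dynamic truncation)."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step.
    This is what the phone app computes from the secret it was enrolled with."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash for the first factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Constructed server-side account record."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-salt"   # constructed; use os.urandom(16) in practice
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1            # highest time step already accepted


def login(account: Account, password: str, code: str, now: int,
          window: int = 1, step: int = 30) -> bool:
    """Return True only if both factors verify.

    Codes from one time step on either side of `now` are accepted to absorb
    clock drift between phone and server. A time step at or below the last
    accepted one is refused, so a code that was seen once cannot be replayed.
    Both factors are evaluated before the decision so a rejection does not
    reveal which one failed."""
    password_ok = hmac.compare_digest(
        hash_password(password, account.salt), account.password_hash)

    counter = now // step
    matched = None
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= account.last_counter:
            continue                                      # already used: replay
        if hmac.compare_digest(hotp(account.totp_secret, candidate), code):
            matched = candidate
            break

    if password_ok and matched is not None:
        account.last_counter = matched                    # burn this time step
        return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"                      # RFC 4226/6238 test key
    acct = Account("correct horse battery staple", secret)
    print("code at t=59:", totp(secret, 59))              # 287082 per RFC 6238 (6 digits)
    print("first use:", login(acct, "correct horse battery staple", "287082", 59))
    print("replay:   ", login(acct, "correct horse battery staple", "287082", 59))
```

The `compare_digest` calls keep both comparisons constant-time, and the replay guard is what turns a "one-time" code into one that is genuinely single-use rather than valid for the whole 30-second window plus drift.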

In general, the best advice available is to understand how the services you use protect your account, and to adjust your security questions, passwords and backup email addresses accordingly. Also, to avoid losing data irretrievably as Honan did, back up your data frequently and in multiple places.
